Hello Team,

We have a problem using the management client in a restricted environment where 
a user can send/receive messages only to specified destinations.
I would like to clarify how the ActiveMQ Artemis management client works and if 
it is correct.

I have created an Artemis broker instance with the --allow-anonymous-access 
option and audit logs enabled.
Then I ran the management client example from the ActiveMQ Artemis GitHub repo 
(mvn verify -PnoServer) and collected the logs.
First it sends an example message to exampleQueue, then connects with the 
management client, and the first audit log message is:

2023-08-28 13:21:15,729 [AUDIT](Thread-1 
(ActiveMQ-server-org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl$6@31da6b2e))
 AMQ601065: User admin(amq)@127.0.0.1:54463 is creating a queue on target 
resource: ServerSessionImpl() with parameters: [QueueConfiguration [id=null, 
name=231844ae-cc6c-493e-93f8-9b6714b102c2, 
address=231844ae-cc6c-493e-93f8-9b6714b102c2, routingType=ANYCAST, 
filterString=null, durable=false, user=null, maxConsumers=-1, exclusive=null, 
groupRebalance=null, groupRebalancePauseDispatch=null, groupBuckets=null, 
groupFirstKey=null, lastValue=null, lastValueKey=null, nonDestructive=null, 
purgeOnNoConsumers=false, enabled=null, consumersBeforeDispatch=null, 
delayBeforeDispatch=null, consumerPriority=null, autoDelete=null, 
autoDeleteDelay=null, autoDeleteMessageCount=null, ringSize=null, 
configurationManaged=null, temporary=true, autoCreateAddress=null, 
internal=null, transient=null, autoCreated=false, fqqn=null]]

Even if we grant permissions to the activemq.management address, the client 
cannot connect because it tries to create a temporary address with a UUID-like 
name with a temporary queue.
To make it work we need to grant createAddress, createNonDurableQueue, send and 
consume to all queues via the # wildcard, but this is not suitable for an 
environment with fine-grained authorizations.
We would like to make it possible for users to connect to Artemis with 
management clients like JMSToolBox without adding unnecessary permissions.

Is it possible to make the management client use a predefined address for 
temporary queues or some temporary address prefix?

--
Best regards,
Aleksandr
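
To see which users and addresses are involved in the behaviour described in the message above, the temporary-queue creations can be extracted from the audit log. This is an added example, not part of the original message or of the Artemis project; the function names are hypothetical, and the sample log is constructed (its first entry is abridged from the one quoted above, the second is made up).

```python
import re
import uuid

# AMQ601065 is the audit code for "creating a queue" in the entry quoted above.
CREATE_QUEUE = re.compile(
    r"AMQ601065: User (?P<user>\S+?)@(?P<remote>\S+) is creating a queue .*?"
    r"\[QueueConfiguration \[(?P<fields>.*?)\]\]"
)

def parse_fields(raw):
    """Turn the 'key=value, key=value' body of QueueConfiguration into a dict."""
    return dict(p.split("=", 1) for p in raw.split(", ") if "=" in p)

def is_uuid(value):
    try:
        uuid.UUID(value)
        return True
    except ValueError:
        return False

def temp_queue_creations(log_text):
    """Return one record per temporary queue created on a UUID-named address."""
    # Entries are often hard-wrapped (as in the mail); undo the wrapping first.
    flat = re.sub(r"\s*\n\s*", " ", log_text)
    hits = []
    for m in CREATE_QUEUE.finditer(flat):
        cfg = parse_fields(m.group("fields"))
        if cfg.get("temporary") == "true" and is_uuid(cfg.get("address", "")):
            hits.append({"user": m.group("user"), "remote": m.group("remote"),
                         "address": cfg["address"],
                         "routing": cfg.get("routingType")})
    return hits

# Constructed sample log (abridged field lists, hypothetical second entry).
SAMPLE = """\
2023-08-28 13:21:15,729 [AUDIT](Thread-1) AMQ601065: User admin(amq)@127.0.0.1:54463 is creating a queue on target
 resource: ServerSessionImpl() with parameters: [QueueConfiguration [id=null,
 name=231844ae-cc6c-493e-93f8-9b6714b102c2, address=231844ae-cc6c-493e-93f8-9b6714b102c2,
 routingType=ANYCAST, durable=false, temporary=true, autoCreated=false]]
2023-08-28 13:21:16,101 [AUDIT](Thread-2) AMQ601065: User app(amq)@127.0.0.1:54470 is creating a queue on target
 resource: ServerSessionImpl() with parameters: [QueueConfiguration [id=null,
 name=exampleQueue, address=exampleQueue, routingType=ANYCAST, durable=true, temporary=false]]
"""

if __name__ == "__main__":
    for hit in temp_queue_creations(SAMPLE):
        print(hit)
```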
